Twitter developer platform search field vulnerable to XSS

Monday, 6 September 2010

*1st UPDATE* - Security researcher Mike Bailey (mckt) has produced a simple proof of concept which silently exploits this XSS. Basically, any Twitter user who clicks on the button will post a tweet reading

*2nd UPDATE* - As Stefan Tanase from Kaspersky Labs wrote in the news article "Twitter XSS in the wild", cybercriminals - maybe of Brazilian origin - maliciously leveraged and exploited this Twitter XSS to steal user cookies and transfer them to two specific servers. According to bit.ly short link statistics, they managed in a very short time to compromise more than 100.000 Twitter accounts by urging users to click on their link with a short tweet that read in Portuguese "Pe Lanza da banda Restart sofre acidente tragico" (Pop band Restart suffering a tragic accident):
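The two updates describe the same flaw from a defender's point of view: a search field reflects user input into the page unencoded, and script injected that way can read the session cookie and ship it elsewhere. The following added example is not code from the original post or from Twitter; it assumes a hypothetical search-results page and shows the unencoded reflection beside the encoded one, plus a session cookie set with HttpOnly so that page script cannot read it through `document.cookie` even if an injection slips through.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the text a user typed into the search box.
# It carries markup, which is exactly what a reflected-XSS probe looks like.
SAMPLE_QUERY = '<script>alert(document.cookie)</script>'


def render_results_unsafe(query: str) -> str:
    """Reflects the query into the HTML without encoding.

    This is the defect pattern described in the post: whatever the user
    (or a crafted link) puts in the search field becomes part of the page.
    """
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    """Reflects the query after HTML-encoding it.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the query as text instead of parsing it as markup.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Builds a Set-Cookie header for a hypothetical session cookie.

    HttpOnly keeps the cookie out of document.cookie, so script running
    in the page cannot read and exfiltrate it; Secure keeps it off
    plaintext HTTP. Neither flag fixes the XSS itself, they only limit
    what a successful injection can reach.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_results_unsafe(SAMPLE_QUERY))
    print(render_results_safe(SAMPLE_QUERY))
    print(session_cookie_header("constructed-session-id"))
```

Running the block prints the raw reflection (the `<script>` element survives intact), the encoded reflection (the same text rendered as `&lt;script&gt;...`), and a `Set-Cookie` line carrying `HttpOnly` and `Secure`. Output encoding at the point of reflection is the fix; the cookie flags are the defence in depth that would have blunted the cookie-theft campaign in the second update.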